# Row-level security

The data model serves as a facade of your data. With row-level security,
you can define whether some [data model][ref-data-modeling-concepts] facts are exposed
to end users and can be queried via [APIs & integrations][ref-apis].

Row-level security in Cube is similar to row-level security in SQL databases.
Defining whether users have access to specific facts from [cubes][ref-cubes] and
[views][ref-views] is similar to defining access to rows in database tables.

__By default, all rows are *public*,__ meaning that no filtering is applied to
data model facts when they are accessed by any users.

## Managing row-level access

You can use [data access policies][ref-dap] to manage both [member-level][ref-mls]
and row-level security based on [user attributes][ref-security-context] or groups.

Here's an example of how to filter rows by a user attribute using data access policies:

<CodeTabs>

```yaml
cubes:
  - name: orders
    # ...

    access_policy:
      - role: manager
        row_level:
          filters:
            - member: country
              operator: equals
              values: [ "{ userAttributes.country }" ]
```

```javascript
cube(`orders`, {
  // ...

  access_policy: [
    {
      role: `manager`,
      row_level: {
        filters: [
          {
            member: `country`,
            operator: `equals`,
            values: [ securityContext.country ]
          }
        ]
      }
    }
  ]
})
```

</CodeTabs>


## Advanced scenarios

For more complex scenarios, you can use [`query_rewrite`][ref-query-rewrite] for programmatic query filtering or adjust the [`sql` parameter][ref-cubes-sql] in [dynamic data models][ref-dynamic-data-modeling].


[ref-data-modeling-concepts]: /product/data-modeling/concepts
[ref-apis]: /product/apis-integrations
[ref-cubes]: /product/data-modeling/concepts#cubes
[ref-views]: /product/data-modeling/concepts#views
[ref-cubes-sql]: /product/data-modeling/reference/cube#sql
[ref-dynamic-data-modeling]: /product/data-modeling/dynamic
[ref-query-rewrite]: /product/configuration/reference/config#query_rewrite
[ref-dap]: /product/auth/data-access-policies
[ref-mls]: /product/auth/member-level-security
[ref-security-context]: /product/auth/context